Here, we have a guest post from Chris Schwartz, NTT Security’s threat researcher on the dark web.
When at war and facing an enemy, no words could be more accurate than Sun Tzu’s “If you know neither the enemy nor yourself, you will succumb in every battle.”
The logical question is “how does one begin to know the enemy?” The “easy” answer is to live their experiences, and in this case, it means actually navigating the dark web in a meaningful manner.
What is the dark web?
For a quick bit of background, the term “dark web” is derived from “Darknet”, coined in 2002 by four Microsoft employees who published an article arguing that the Darknet was the chief hindrance to the advance of working DRM technologies. Originally, the term referred only to networks isolated from ARPANET in the 1970s.
The internet itself – especially the dark web – represents the modern cyber battlefield. The dark web is not a magical universe inhabited by evil. It is more like an extension of the public-facing open internet to which we are all accustomed. In fact, the dark web is different enough that you can’t just access it as easily as you can the open internet. It requires certain technologies and skills to access the best information.
The dark web includes websites, and marketplaces, some of which you cannot readily access, unless you are explicitly invited. It’s a culture as much as it is a place and knowing a little something about the dark web will help your chances of navigating it. Given the variety of information available, being active on the dark web can increase your own risk if you are not careful about what you are doing.
The dark web has stayed relatively decentralized and censorship free, so it certainly does have its legitimate uses. An example could be access by citizens of an authoritarian country in search of unaltered media headlines or free speech in general. At the same time, the dark web is somewhat lawless, which helps it remain a massive underground for hacking, drugs, guns and other illegal activity.
At any given time, you can purchase the following items, amongst others, on the dark web:
- Bank accounts/credit cards
- Database access or copies of them
- Admin accounts for miscellaneous websites and businesses
- Malware/botnets/DDoS services/hackers for hire
- Counterfeit passports/money/identification
- Netflix/Spotify/Amazon accounts
- Gift cards
If it’s illegal or can be stolen, it can likely be found on some corner of the dark web.
Want to make a quick buck with some ransomware? A variant of GoldenEye is available for 100 USD (82 EUR) — or pay a bit more and use the Ransomware as a Service (RaaS) route and pay to have someone do it all for you — you just give them the target. Malware, malware as a service, botnets, rootkits, exploit kits, exploits, are all available. You can even buy advanced hacking tools, with tech support included. Some cost a significant amount, while others are relatively inexpensive. And, to further maintain a sense of anonymity, many transactions are conducted using Bitcoin.
Why the dark web?
Some of the most recent — and most advanced — cyber threats have originated from the dark web. Monitoring the dark web can certainly assist in attempting to understand the ever-persistent and ever-evolving threats, and helps security researchers stay ahead of the changing threat landscape and of threat actor plans. What malicious tools are available? What are the newest toolkits? What are the newest exploits?
If you can learn about the tools and techniques threat actors are using, you have the opportunity to use the information to improve your own practices and controls and mitigate potential impact of an attack. Simply being on the sites, observing the chatter, and recognizing the trends provides value in the view of the threat landscape.
If, for instance, you are a threat researcher for a bank and come across a dark web user inquiring about SWIFT documentation and procedures in one post, asking for phishing guidance in another, and finally discussing purchasing malware, you may want to start creating a profile for this user. If you track a user’s posts long enough, you may start to see a pattern. While not every discovery will prevent an attack, you can still prepare, put proper safeguards in place and mitigate a potential threat. You can use tools and data gathered from the dark web to help improve your own practices and controls.
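The bank-researcher scenario above amounts to a small correlation problem: tag each observed post with a risk category, group posts by handle, and flag a handle whose activity spans several categories across threads. The following Python is an added example, not code from the original post or from NTT Security; the category keyword lists are an illustrative assumption, and every post in it is constructed sample data, not real forum content.

```python
"""Added example (not from the original post): build a per-handle profile from
observed forum posts and flag handles whose activity spans several risk
categories, as in the bank threat-researcher scenario.
Category keywords are assumed for illustration; all posts are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Illustrative categories and the keywords that indicate them (assumed).
CATEGORIES = {
    "financial_systems": ["swift", "wire transfer", "core banking"],
    "phishing": ["phishing", "phish kit", "credential harvest"],
    "malware_acquisition": ["buy malware", "ransomware", "raas", "botnet"],
}


@dataclass
class Post:
    handle: str   # persona that wrote the post
    thread: str   # thread identifier (constructed)
    day: int      # relative day the post was observed (constructed)
    text: str


# Constructed sample observations; none of these are real posts.
SAMPLE_POSTS = [
    Post("user_a", "thread-12", 1, "Anyone have SWIFT documentation and procedures for message formatting?"),
    Post("user_a", "thread-31", 4, "Looking for phishing guidance that works against bank staff."),
    Post("user_a", "thread-57", 9, "Want to buy malware, preferably ransomware, budget is flexible."),
    Post("user_b", "thread-12", 2, "I just want a cheap Netflix account."),
    Post("user_c", "thread-31", 5, "Phishing is too noisy these days, not worth it."),
]


def categorize(text):
    """Return the set of risk categories whose keywords occur as whole words."""
    lowered = text.lower()
    hits = set()
    for category, keywords in CATEGORIES.items():
        for kw in keywords:
            if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
                hits.add(category)
                break
    return hits


def build_profiles(posts):
    """Group posts by handle, accumulating categories, threads and days seen."""
    profiles = defaultdict(lambda: {"categories": set(), "threads": set(), "days": []})
    for post in posts:
        profile = profiles[post.handle]
        profile["categories"] |= categorize(post.text)
        profile["threads"].add(post.thread)
        profile["days"].append(post.day)
    return profiles


def flag_personas(profiles, min_categories=3):
    """Handles whose posts span at least min_categories distinct categories."""
    return sorted(h for h, p in profiles.items() if len(p["categories"]) >= min_categories)


def summarize(profiles, handle):
    """Compact view of one handle's profile for an analyst to review."""
    profile = profiles[handle]
    return {
        "categories": sorted(profile["categories"]),
        "threads": len(profile["threads"]),
        "first_seen": min(profile["days"]),
        "last_seen": max(profile["days"]),
    }


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_POSTS)
    for handle in flag_personas(profiles):
        print(handle, summarize(profiles, handle))
```

The threshold of three categories is deliberately conservative: a single post mentioning phishing (as `user_c` does) says little, while one handle that moves from payment-system documentation to phishing to malware acquisition over several threads is the pattern the post describes and is worth a profile and a note to the fraud and SOC teams.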
How do I access the dark web?
This blog post is not meant to make anyone an expert in the dark web but is intended to be a high-level overview of things to consider. It’s always prudent to first reach out to trusted service providers with appropriate experience.
If you start exploring the dark web, you can easily raise your own risk profile and get yourself in trouble if you are not careful about what you are doing.
All that said, a simplified version of three steps to accessing and monitoring the dark web includes:
- Downloading and using Tor
- Creating a sock puppet
- Building your dark web reputation
Step 1: Download Tor (The Onion Router)
Use Tor, or another dark web software suite. The dark web is an isolated part of the internet that is not easily or securely accessible without specific software such as Tor, I2P, Freenet, etc. The reason special software like Tor is needed is to ensure all users and hosts on the network are following a unified standard of encryption and anonymity. Using Tor allows users to conform to the requirements necessary to access the dark web and puts users on the same network as the other users and hosts.
A privacy-minded individual can use Tor to anonymously browse the open web, but the application itself has a stigma of being associated with illegal or malicious activity. Tor provides privacy and anonymity while on the Tor network — exactly what criminals want while conducting illegal activities. There are more secure and advanced methods to connect to the dark web than simply using Tor — these will be covered in future stories detailing best practices on the dark web.
Step 2: Create a sock puppet
Develop a “sock puppet” — an alternate online identity and persona used for the purposes of deception — so that your sock puppet is active on the dark web, not you. You may not be a criminal, but your sock puppet is — at least, that’s what you need everyone on the dark web to think.
Many sites on the dark web require little-to-no authentication. Often, simply registering a new account, without even verifying an email, is all that’s required for access. Some sites require new users to go through a vetting process. For hacking-related sites, most need proof you are “one of them”, such as coding malware in Python or providing data from an unreleased breach. There are no generally defined requirements for access, so for many locations access is provided at the discretion of the site administrators.
Some sites require a “buy-in” where you pay some quantity of Bitcoin to gain access. Some sites are invitation only, or require a current user of the site to vouch for you. On these types of sites, reputation is worth more than gold.
This is where a sock puppet comes into play. You never want to operate within the dark web as yourself and you wouldn’t want any activity on it being tied back to the real you.
Step 3: Build your reputation
Build a reputation based on your sock puppet. You can’t just walk right onto the deepest corners of the dark web. You need to make a name for yourself — gain a reputation — to get invited into the secret club. This is the equivalent of “street cred”.
This is the trickiest step in the process, because you don’t want to get sucked into committing illegal acts to prove yourself. The good news is that there are ways to do this which do not require you to break the law.
We discussed challenges and benefits of understanding and operating in the dark web. Information available on the dark web can be invaluable in helping organizations understand the tools and techniques available to threat actors. If you are charged with protecting your organization’s environment, this information can help you gain valuable insight into the capabilities of the enemy.